Use OAuth 2.0 token-based authentication with IBM Connections Mobile App

by Christoph Stoettner

Many people don't like storing credentials in mobile apps or browsers. OAuth 2.0 tokens are a good workaround, but both the application and the server it talks to need to support them. The IBM Connections Mobile App can use OAuth 2.0 for authentication.

OAuth2 can be used directly with WebSphere Application Server and Connections 6.0. No special OAuth servers or applications are needed!

The IBM documentation was a little bit confusing for me; there are lots of side notes. But you only need the following steps to use OAuth 2.0 token-based authentication with the IBM Connections Mobile App.

== Register Client

Open wsadmin and add the client identifier for the mobile app:

cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin

./wsadmin.sh -lang jython -username was-user -password password

execfile('oauthAdmin.py')

OAuthApplicationRegistrationService.addApplication("connections_social_mobile", "Connections Mobile", "com.ibm.ibmscp://com.ibm.mobile.connections/token")

Now open connectionsProvider.xml in /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/cellName/oauth20/ and set the following value to true:

<parameter name="oauth20.allow.public.clients" type="cc" customizable="true">
    <value>true</value>     
</parameter>
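  • Default is false here! Public clients are OAuth 2.0 clients that cannot keep a client secret confidential, such as an app installed on a device.

Now the OAuth provider needs to be recreated (run the command in Dmgr01/bin):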

Linux

./wsadmin.sh -lang jython -conntype SOAP -c "print AdminTask.createOAuthProvider('[-providerName connectionsProvider -fileName /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/nameCell01/oauth20/connectionsProvider.xml]')" -username wasadmin -password password

Windows

wsadmin.bat -lang jython -conntype SOAP -c "print AdminTask.createOAuthProvider('[-providerName connectionsProvider -fileName d:/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/nameCell01/oauth20/connectionsProvider.xml]')" -username wasadmin -password password

The documentation tells you to restart all application servers now. I would wait until you have finished the mobile-config.xml changes.

== Enable OAuth in mobile-config.xml

mobile-config.xml

...
<!-- SECURITY SETTINGS SECTION -->
<SecuritySettings enabled="true">
    <AuthType>OAuth</AuthType>  
    ...
    <OAuthAuthorizationURL>https://yourcnx-webserver-name/oauth2/endpoint/connectionsProvider/authorize</OAuthAuthorizationURL>       

    <OAuthTokenURL>https://yourcnx-webserver-name/oauth2/endpoint/connectionsProvider/token</OAuthTokenURL>                           
    <OAuthClientId>connections_social_mobile</OAuthClientId> 
    ...
  • <AuthType/>: change to this line
  • <OAuthAuthorizationURL/>: change to this line and substitute your CNX hostname
  • <OAuthTokenURL/>: change to this line and substitute your CNX hostname
  • <OAuthClientId/>: for information, this name was used in the registration command in the first step (default)

When you sync the nodes and restart your application servers, the setting is activated immediately! Users who already use the Connections Mobile app (with saved credentials) are logged out and need to reauthenticate in the OAuth web form!
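A consistency check for the two files edited above, run before the restart. This is an added example, not code from the original post or from IBM. It assumes the elements are not namespaced; the sample root element names and the host cnx.example.com are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
PROVIDER = "connectionsProvider"         # provider name used on this page
CLIENT_ID = "connections_social_mobile"  # id passed to addApplication
PLACEHOLDER_HOST = "yourcnx-webserver-name"

def check_oauth_config(provider_xml, mobile_xml):
    """Return a list of findings; an empty list means the files agree."""
    findings = []
    values = [p.findtext("value", "").strip()
              for p in ET.fromstring(provider_xml).iter("parameter")
              if p.get("name") == "oauth20.allow.public.clients"]
    if values != ["true"]:
        findings.append("oauth20.allow.public.clients is not true")
    sec = next(ET.fromstring(mobile_xml).iter("SecuritySettings"), None)
    if sec is None:
        return findings + ["no <SecuritySettings> element"]
    if sec.get("enabled") != "true":
        findings.append("SecuritySettings is not enabled")
    if sec.findtext("AuthType", "").strip() != "OAuth":
        findings.append("AuthType is not OAuth")
    if sec.findtext("OAuthClientId", "").strip() != CLIENT_ID:
        findings.append("OAuthClientId differs from the registered client")
    hosts = set()
    for tag, leaf in (("OAuthAuthorizationURL", "authorize"), ("OAuthTokenURL", "token")):
        url = urlsplit(sec.findtext(tag, "").strip())
        checks = {"is not https": url.scheme != "https",
                  "has an unexpected path": url.path != f"/oauth2/endpoint/{PROVIDER}/{leaf}",
                  "still has the placeholder hostname": url.hostname == PLACEHOLDER_HOST}
        findings += [f"{tag} {msg}" for msg, bad in checks.items() if bad]
        hosts.add(url.hostname)
    if len(hosts) > 1:
        findings.append("authorization and token URLs use different hosts")
    return findings

# Constructed samples: root element names and cnx.example.com are assumptions;
# the inner elements are the ones shown on this page.
SAMPLE_PROVIDER = """<OAuthServiceConfiguration>
  <parameter name="oauth20.allow.public.clients" type="cc" customizable="true"><value>false</value></parameter>
</OAuthServiceConfiguration>"""
SAMPLE_MOBILE = """<MobileConfig><SecuritySettings enabled="true">
  <AuthType>OAuth</AuthType>
  <OAuthAuthorizationURL>https://cnx.example.com/oauth2/endpoint/connectionsProvider/authorize</OAuthAuthorizationURL>
  <OAuthTokenURL>http://cnx.example.com/oauth2/endpoint/connectionsProvider/token</OAuthTokenURL>
  <OAuthClientId>connections_social_mobile</OAuthClientId>
</SecuritySettings></MobileConfig>"""

if __name__ == "__main__":
    print("\n".join(check_oauth_config(SAMPLE_PROVIDER, SAMPLE_MOBILE)))
```

The constructed samples deliberately leave the public-clients flag at its default and use a plain-http token URL, so both are reported.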

== Mobile Client configuration

When you add your server to the mobile app, you get the login screen of your Connections environment after providing the server hostname:

Login Form for Connections

Now the user needs to grant access to the system.

Grant or Deny Access

Redirect to Mobile App

I tested in a VPN environment and got messages that no profile can be found for my credentials, but reload always showed the content. I think this needs to be tested a little bit more!
